Kaspersky's latest deep dive into Operation Triangulation reveals the extent of a sophisticated zero-day campaign against Apple iOS devices. The attackers deployed the TriangleDB implant, which is extended by four modules: one records from the microphone, one extracts iCloud Keychain data, one steals data from the SQLite databases used by various apps, and one estimates the victim's location.
The campaign first came to light in June 2023, when Kaspersky exposed a zero-click exploit chain delivered through iMessage. The chain abused two zero-day flaws patched by Apple that month: CVE-2023-32434, an integer overflow in the kernel, and CVE-2023-32435, a memory-corruption bug in WebKit. A malicious iMessage attachment, requiring no interaction from the victim, gave the attackers complete control over the targeted device and its user data.
The full scale of the operation and the identity of the threat actor remain unknown, and Kaspersky itself was among the victims at the beginning of the year. That infection prompted the firm to dissect the individual components of the advanced persistent threat (APT) platform. The linchpin of the attack framework is the TriangleDB backdoor, deployed only after the attackers have obtained root privileges by exploiting CVE-2023-32434, the kernel vulnerability that allows arbitrary code execution.
Before the implant lands, a Binary Validator is delivered. It erases traces of the exploitation, deletes evidence of the malicious attachment, collects device information, tracks ad activity, and obtains a list of installed apps. The results are encrypted and sent to a command-and-control (C2) server, which then decides whether to serve the TriangleDB implant. Throughout, the attackers show a profound understanding of iOS internals, relying on private, undocumented APIs to keep their actions hidden, a clear sign that flying under the radar and evading detection was a design goal.